EBA Suggests Re-Authentication Overhaul In Latest API Feedback

October 21, 2021
The European Banking Authority (EBA) has conceded that the 90-day account renewal rule has hindered customer retention for account information service providers (AISPs) and has announced that it will be making an amendment.

The EBA will be launching a new consultation before the year is up on how it can amend the regulatory technical standards for re-authentication.

Officials from both the European Commission and the EBA had previously expressed concerns about the success of the compliance requirement, with the EBA’s payments chief, Dirk Haubrich, telling a conference in April that he thinks the rule needs to be revisited.

It is also on the wishlist of payments players to be addressed as part of the European Commission’s upcoming review of the revised Payment Services Directive (PSD2).

The EBA made the announcement as part of the latest set of clarifications to participants in its application programming interface (API) working group. In reference to the 90-day re-authentication rule, it agreed that the way the exemption under Article 10 of the regulatory technical standards (RTS) on strong customer authentication has been applied has led to undesirable outcomes for account information services.

"It is great to see that the EBA is sensitive to the concerns raised by AISPs," said Jan Van Vonno, research director at Tink. "With this clarification, the EBA recognises that the 90-day re-authentication is not risk-proportionate to other payment services such as direct debit mandates."

The 30-member working group, which includes people from some of the EU's largest banks, such as Deutsche Bank and BNP Paribas, as well as France’s payments infrastructure provider STET and open banking organisations Berlin Group, TrueLayer and Tink, had claimed that AISPs lose a large part of their customers every time those customers are asked to re-authenticate. It attributed this to the friction of the authentication experience offered by account servicing payment service providers (ASPSPs, typically banks), combined with the fact that the strong customer authentication (SCA) exemption under Article 10 of the RTS has not been applied consistently by ASPSPs.

According to the submission, this has prompted a more frequent application of SCA for customers using account information services, including every time the end-user accesses their account online.

"The 90-day re-authentication has been an issue for business models and use cases that require ongoing consent," said Van Vonno, citing bookkeeping software, personal finance management applications and subscription management services as examples.

With obstacles still present in most PSD2 APIs, the administrative overhead of managing access to multiple ASPSPs and the frequent expiry of consents, the 90-day re-authentication is just one of the challenges AISPs need to overcome in Europe, he continued.

Although the EBA accepted the 90-day re-authentication rule has led to a detrimental impact on AISPs’ services, it rejected the solutions to the problem offered by the working group, claiming they were “legally not possible under the directive”.

The group had asked that rules be changed to clarify that SCA does not apply in the cases where the AISP, based on the account holder's explicit consent, accesses account information without their active involvement. It also suggested a way around this could be to allow the AISP to apply SCA directly.

If the EBA does change its 90-day re-authentication rule for AISPs, it will follow similar changes made in the UK following the country's exit from the European Union. In January, the UK’s Financial Conduct Authority (FCA) published proposed amendments to its technical standards on SCA, including a measure that would exempt customers of AISPs from having to re-authenticate every 90 days. These amendments were confirmed in May 2021.

"The question remains whether the EBA will propose changes similar to what the FCA has proposed in the UK, which is to replace 90-day re-auth with 90-day re-consent, or if it will propose measures to change the optional SCA exemption into a stipulation," said Van Vonno.

Best of the rest

For the bulk of other submissions from the group, the EBA declined to answer and instead submitted them to its Q&A tool, where they will be answered in due course.

This includes questions relating to whether the Electronic Banking Internet Communication Standard (EBICS) falls within the scope of PSD2, as well as the inability to initiate bulk payments via APIs in one of the EU’s member states.

The EBA also responded to a question regarding ASPSPs often rejecting a payment without specifying the reason for doing so.

“TPPs (third-party providers) need to take proactive actions in order to understand the reason why the payment had been rejected,” the submission said, adding that some ASPSPs reject payments after having previously informed a payment initiation service provider (PISP) that the payment has been initiated for execution.

Here, it argued that PISPs are not duly informed by the ASPSP, while also lobbying the EBA to set out the minimum set of error codes and payment status messages ASPSPs should send, something which the EBA declined to do.

“The EBA is of the view that these relate to implementations of the interfaces chosen by the ASPSPs, the specific events and errors that may occur, as well as the respective business models of TPPs,” the regulator said while pointing out that it would not set error codes for the market.

Downtime of dedicated interfaces was another topic addressed by the API working group.

It explained that some ASPSPs inform TPPs about planned or unplanned maintenance on their dedicated interfaces only shortly before the expected start of the maintenance and the resulting unavailability of the interface, sometimes with less than 24 hours' notice.

“Subsequently, TPPs do not have sufficient time to prepare to switch to the interface made available to the payment service user (PSU) for the authentication and communication with the ASPSP,” the submitter pointed out. It added that ASPSPs may announce planned or unplanned unavailability of their dedicated interfaces by email, which does not allow TPPs to react quickly enough because the email may go unnoticed by staff.

Here, the EBA said that API downtime needs to be announced and communicated to TPPs, but via whatever channel the ASPSP deems appropriate. “ASPSPs are not prevented from using email for this purpose,” the EBA said.
